Abstract. We present a type theory with some proof-irrelevance built into the conversion rule. We argue that this feature is useful when type theory is used as the logical formalism underlying a theorem prover. We also show a close relation with the subset types of the theory of PVS. We show that in these theories, because of the additional extensionality, the axiom of choice implies the decidability of equality, that is, almost classical logic. Finally we describe a simple set-theoretic semantics.



A formal proof system, or proof assistant, implements a formalism in a similar way as a compiler implements a programming language. Among existing formalisms, dependent type systems are quite widespread. This can be related to various pleasant features, among them:



(1) Proofs are objects of the formalism. The syntax is therefore smoothly uniform, and proofs can be rechecked at will. Also, only the correctness of the type-checker, a relatively small and well-identified piece of software, is critical for the reliability of the system (the "de Bruijn principle").

(2) The objects of the formalism are programs (typed λ-terms) and are identified modulo computation (β-conversion). This makes the formalism well-adapted for problems dealing with program correctness. But the conversion rule also allows the computation steps not to appear in the proof; for instance 2 + 2 = 4 is simply proved by one reflexivity step, since this proposition is identified with 4 = 4 by conversion. In some cases this can lead to a dramatic space gain, using the result of certified computations inside a proof; spectacular recent applications include the formal proof of the four-color theorem [15] or formal primality proofs [18].

(3) Finally, type theories are naturally constructive. This makes stating decidability results much easier. Furthermore, combining this remark with the two points above, one comes to program extraction: taking a proof of a proposition ∀x : A.∃y : B.P(x, y), one can erase pieces of the λ-term in order to obtain a functional program of type A → B, whose input and result are certified to be related by P. Up to now however, program extraction was more an external feature of implemented proof systems¹: programs certified by extraction are no longer objects of the formalism and cannot be used to assert facts like in the point above.

Some related formalisms only build on some of the points above. For example PVS implements a theory whose objects are functional programs, but where proofs are not objects of the formalism.

An important remark about point (2) is that the more terms are identified by the conversion rule, the more powerful this rule is. In order to identify more terms it is thus tempting to combine points (2) and (3) by integrating program extraction into the formalism, so that the conversion rule does not require the computationally irrelevant parts of terms to be convertible.

In what follows, we present and argue in favor of a type-theory along this line. More 
precisely, we claim that such a feature is useful in at least two respects. For one, it gives a 
more comfortable type theory, especially in the way it handles equality. Furthermore it is a 
good starting point to build a platform for programming with dependent types, that is to 
use the theorem prover also as a programming environment. Finally, on a more theoretical 
level, we will also see that by making the theory more extensional, proof-irrelevance brings 
type theory closer to set-theory regarding the consequences of the axiom of choice. 

The central idea of this work is certainly simple enough to be adjusted to various kinds of type theories, whether they are predicative or not, with various kinds of inductive types, more refined mechanisms to distinguish the computational parts of the proofs, etc. In what follows we illustrate it by using a marking of the computational content which is as simple as possible. The extraction function we use is quite close to Letouzey's [21, 22], except that we discard the inclusion rule Prop ⊂ Type, which would complicate the definition of the type theory and the semantics (see [29] for the last point).

Related work. Almost surprisingly, proof-irrelevant type theories do not seem to enjoy wide use yet. In the literature, they are often not studied for themselves, but as means for proving properties of other systems. This is the case for the work of Altenkirch [3] and Barthe [6]. One very interesting work is Pfenning's modal type theory, which involves proof-irrelevance and a sophisticated way to pinpoint which definitional equality is to be used for each part of a term; in comparison we here stick to a much simpler extraction mechanism. The NuPRL approach using a squash type [9] is very close to ours, but the extensional setting gives somewhat different results. Finally, let us mention recent work [5] by Barras and Bernardo who present a type theory with implicit arguments. This interesting proposal can be understood as a theory with proof-irrelevance, where the computational fragment is precisely Miquel's calculus [28]. Their proposal can be understood as a theory similar to ours, but with a more sophisticated way to mark what is computational and what is not.

2. The Theory 

2.1. The λ-terms. The core of our theory is a Pure Type System (PTS) extended with Σ-types and some inductive type definitions. In PTSs, the types of types are sorts; the set of sorts is

$\mathcal{S} = \{\mathsf{Prop}\} \cup \{\mathsf{Type}(i) \mid i \in \mathbb{N}\}$



¹ Except NuPRL; see related work.
As one can see, we keep the sort names of Coq. As usual, Prop is the impredicative sort and the sorts Type(i) give the hierarchy of predicative universes. It comes as no surprise that the system contains the usual syntactic constructs of PTSs; however it is comfortable, both for defining the conversion rule and for constructing a model, to tag the variables to indicate whether they correspond to a computational piece of code or not; in our case this means whether they live in the impredicative or a predicative level (i.e. whether the type of their type is Prop or a Type(i)). A similar tagging is done on the projections of Σ-types. Except for this detail, the backbone of the theory considered hereafter is essentially Luo's Extended Calculus of Constructions (ECC) [23].

The syntax of the ECC fragment is therefore

$s ::= \mathsf{Prop} \mid \mathsf{Type}(i) \qquad s ::= * \mid o$

$t ::= s \mid x^s \mid \lambda x^s : t.t \mid (t\ t) \mid \Pi x^s : t.t \mid \Sigma^s x^s : t.t \mid \langle t, t \rangle_{\Sigma x : t.t} \mid \pi_1(t) \mid \pi_2^s(t)$

$\Gamma ::= [] \mid \Gamma(x^s : t).$

(The letter s denotes a sort in the first production and a tag, * or o, in the second; which one is meant is always clear from its position.)

We sometimes call these terms raw terms, when we want to stress that they are considered independently of typing issues. The tagging of Σ is there to indicate whether the second component of the pair is computational or not (the first component will always be). For the same technical reason, we also tag the second projection π2.

We will sometimes write x for x^s, Σx : A.B for Σ^s x : A.B or π2(t) for π2^s(t), omitting the tag s when it is not relevant or can be inferred from the context.

The binding of variables is as usual. We write t[x \ u] for the substitution of the free occurrences of variable x in t by u. As has become customary, we will not deal with α-conversion here, and leave open the choice between named variables and de Bruijn indices.

We also use the common practice of writing A → B (resp. A × B) for Πx : A.B (resp. Σx : A.B) when x does not appear free in B. We also write Πx, y : A.B (resp. λx, y : A.t) for Πx : A.Πy : A.B (resp. λx : A.λy : A.t).

2.2. Relaxed conversion. The aim of this work is the study of a relaxed conversion rule. While the idea is to identify terms with respect to typing information, the tagging of impredicative vs. predicative variables is sufficient to define such a conversion in a simple syntactic way. A variable or a second projection π2(t) is computationally irrelevant when tagged with the * mark. This leads to the following definition.

Definition 2.1 (Extraction). We can simply define the extraction relation ▷ε as the contextual closure of the following rewriting equations

$x^* \triangleright_\varepsilon \varepsilon \qquad \lambda x : A.\varepsilon \triangleright_\varepsilon \varepsilon$

$(\varepsilon\ t) \triangleright_\varepsilon \varepsilon \qquad \pi_2^*(t) \triangleright_\varepsilon \varepsilon.$

We write ▷ε* for the reflexive-transitive closure of ▷ε. We say that a term t is of tag * if t ▷ε* ε and of tag o if not. We write s(t) for the tag of t.
Definition 2.2 (Reduction). The β-reduction ▷β is defined as the contextual closure of the following equations

$(\lambda x^s : A.t\ u) \triangleright_\beta t[x^s \backslash u] \quad \text{if } s(u) = s$

$\pi_1(\langle a, b \rangle_{\Sigma^s x : A.B}) \triangleright_\beta a \quad \text{if } s(a) = o$

$\pi_2^s(\langle a, b \rangle_{\Sigma^s x : A.B}) \triangleright_\beta b \quad \text{if } s(b) = s.$

The restrictions on the right-hand side are there in order to ensure that the tag is preserved by reduction. Without them, (λx* : Prop.x* Prop) could reduce either to ε or to Prop, which would falsify the Church-Rosser property. Actually we will see that these restrictions are always satisfied on well-typed terms, but they are necessary in order to assert the meta-theoretic properties below. While these restrictions are specific to our way of marking computational terms, other methods will probably yield similar technical difficulties.

The relaxed reduction ▷βε is the union of ▷β and ▷ε. We write =βε for the reflexive, symmetric and transitive closure of ▷βε, and ▷βε* for the transitive-reflexive closure of ▷βε.

It is a good feature to have the predicative universes embedded in each other. It has been observed (Pollack, McKinna, Barras, ...) that a smooth way to present this is to define a syntactic subtyping relation which combines this with =β (or here =βε). Note that this notion of subtyping should not be confused with, for instance, subtyping of subset types in the style of PVS.
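The extraction relation, the tagged β-reduction and the relaxed conversion just defined can be exercised on a small term rewriter. The following Python block is an added example, not code from the paper or from Coq: it encodes tagged terms as tuples (a representation assumed here), computes ▷ε-normal forms and tags, performs β-reduction with the side conditions of Definition 2.2 (including the conditional Eq_rec rule of section 2.4), and decides =βε by ε-normalizing first and comparing β-normal forms, the "pre-cooking" strategy justified by Lemma 3.6 in section 3. The helper names (extract, tag, beta_nf, convertible) and the sample terms are this example's own, and variable names are assumed pairwise distinct so that substitution needs no α-renaming.

```python
# Added example: a rewriter for the tagged terms of Definitions 2.1 and 2.2.
# Term representation (an assumption of this example, not the paper's notation):
#   ('var', x, s)                 x^s, tag s = '*' (non-computational) or 'o' (computational)
#   ('lam', x, s, A, t)           λx^s : A . t
#   ('app', t, u)                 (t u)
#   ('pair', a, b, s)             <a, b> in a Σ^s-type (the type annotation is omitted)
#   ('proj1', t)                  π1(t)
#   ('proj2', t, s)               π2^s(t)
#   ('eqrec', A, P, a, b, p, e)   (Eq_rec A P a b p e), section 2.4
#   ('const', name)               constants such as Prop or nat
# Variable names are assumed pairwise distinct, so substitution does no α-renaming.
EPS = ('eps',)  # the ε produced by extraction

def extract(t):
    """▷ε-normal form: x* ▷ε ε, λx:A.ε ▷ε ε, (ε t) ▷ε ε, π2*(t) ▷ε ε, under contextual closure."""
    k = t[0]
    if k == 'var':
        return EPS if t[2] == '*' else t
    if k == 'lam':
        body = extract(t[4])
        return EPS if body == EPS else ('lam', t[1], t[2], extract(t[3]), body)
    if k == 'app':
        f = extract(t[1])
        return EPS if f == EPS else ('app', f, extract(t[2]))
    if k == 'pair':
        return ('pair', extract(t[1]), extract(t[2]), t[3])
    if k == 'proj1':
        return ('proj1', extract(t[1]))
    if k == 'proj2':
        return EPS if t[2] == '*' else ('proj2', extract(t[1]), 'o')
    if k == 'eqrec':
        return ('eqrec',) + tuple(extract(c) for c in t[1:])
    return t  # constants and ε are already ▷ε-normal

def tag(t):
    """s(t): '*' when t ▷ε* ε, otherwise 'o'."""
    return '*' if extract(t) == EPS else 'o'

def subst(t, x, u):
    """t[x \\ u], structural; relies on the distinct-names assumption above."""
    k = t[0]
    if k == 'var':
        return u if t[1] == x else t
    if k == 'lam':
        return ('lam', t[1], t[2], subst(t[3], x, u), subst(t[4], x, u))
    if k in ('app', 'pair', 'proj1', 'proj2', 'eqrec'):
        return (k,) + tuple(subst(c, x, u) if isinstance(c, tuple) else c for c in t[1:])
    return t

def beta_nf(t):
    """▷β-normal form; a redex whose tag side condition fails is left in place."""
    k = t[0]
    if k == 'lam':
        return ('lam', t[1], t[2], beta_nf(t[3]), beta_nf(t[4]))
    if k == 'app':
        f, u = beta_nf(t[1]), beta_nf(t[2])
        if f[0] == 'lam' and tag(u) == f[2]:  # (λx^s:A.t u) ▷β t[x^s\u] only if s(u) = s
            return beta_nf(subst(f[4], f[1], u))
        return ('app', f, u)
    if k == 'pair':
        return ('pair', beta_nf(t[1]), beta_nf(t[2]), t[3])
    if k == 'proj1':
        p = beta_nf(t[1])
        return p[1] if p[0] == 'pair' and tag(p[1]) == 'o' else ('proj1', p)
    if k == 'proj2':
        p = beta_nf(t[1])
        return p[2] if p[0] == 'pair' and tag(p[2]) == t[2] else ('proj2', p, t[2])
    if k == 'eqrec':
        A, P, a, b, p, e = (beta_nf(c) for c in t[1:])
        # Conditional rule of section 2.4: (Eq_rec A P a b p e) ▷ p if a =βε b.
        # Reduction and conversion are mutually recursive, as the paper remarks.
        return p if convertible(a, b) else ('eqrec', A, P, a, b, p, e)
    return t

def convertible(t1, t2):
    """t1 =βε t2, decided as Lemma 3.6 allows: ε-normalize ("pre-cook"), then compare
    β-normal forms (their existence is the paper's Conjecture 3.14)."""
    return beta_nf(extract(t1)) == beta_nf(extract(t2))

def var(x, s='o'):
    return ('var', x, s)

PROP = ('const', 'Prop')
# (λx*:Prop. x*) Prop: naive β gives Prop (tag o) while extraction gives ε (tag *);
# the side condition s(Prop) = o ≠ * refuses the β-step, so the tag is preserved.
CR_EXAMPLE = ('app', ('lam', 'x', '*', PROP, var('x', '*')), PROP)
# Two inhabitants of a subset type {x : A | P} differing only in the proof part (section 4.2).
PAIR_P = ('pair', var('a'), var('p', '*'), '*')
PAIR_Q = ('pair', var('a'), var('q', '*'), '*')
# Eq_rec whose endpoints a and ((λy.y) a) are convertible, so the conditional rule fires.
EQREC_OK = ('eqrec', PROP, PROP, var('a'),
            ('app', ('lam', 'y', 'o', PROP, var('y')), var('a')), var('p'), var('e', '*'))
EQREC_STUCK = ('eqrec', PROP, PROP, var('a'), var('b'), var('p'), var('e', '*'))

def demo():
    """The checks a reader would make by hand on the constructed terms above."""
    return {
        'cr_tag': tag(CR_EXAMPLE),                          # '*'
        'cr_step_refused': beta_nf(CR_EXAMPLE) == CR_EXAMPLE,
        'proofs_identified': convertible(PAIR_P, PAIR_Q),   # <a,p> =βε <a,p'>
        'eqrec_fires': beta_nf(EQREC_OK) == var('p'),
        'eqrec_stuck': beta_nf(EQREC_STUCK)[0] == 'eqrec',
    }
```

Running demo() shows the three points the text makes: the Church-Rosser counter-example keeps tag * because the restricted β-step is refused (Lemma 3.1 holds on it), two pairs that differ only in their proof component are identified by conversion, and Eq_rec reduces exactly when its two endpoints are convertible.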

Definition 2.3 (Syntactic subtyping). The subtyping relation ≤ is defined on raw terms as the transitive closure of the following equations

$\mathsf{Type}(i) \le \mathsf{Type}(i+1) \qquad T =_{\beta\varepsilon} T' \Rightarrow T \le T'$

$B \le B' \Rightarrow \Pi x : A.B \le \Pi x : A.B'.$

2.3. Functional fragment typing rules. The typing rules for the kernel of our theory are given in PTS-style [4] and correspond to Luo's ECC. The differences are the use of subtyping in the conversion rule and the tagging of variables when they are "pushed" into the context.

The rules are given in figure 1. In the rule Prod, max is the maximum of two sorts for the order Prop < Type(0) < Type(1) < ...

2.4. Treatment of propositional equality. Propositional equality is a first example whose treatment changes when switching to a proof-irrelevant type theory. The definition itself is unchanged; two objects a and b of a given type A are equal if and only if they enjoy the same properties

$a =_A b \;=\; \Pi P : A \to \mathsf{Prop}.(P\ a) \to (P\ b)$

It is well-known that reflexivity, symmetry and transitivity of equality can easily be proved. When seen as an inductive definition, the definition of "=_A" is viewed as its own elimination principle.

Let us write refl for the canonical proof of reflexivity

$\mathrm{refl} = \lambda A : \mathsf{Type}(i).\lambda x : A.\lambda P : A \to \mathsf{Prop}.\lambda p : (P\ x).p$
$\frac{\Gamma \vdash \mathrm{wf}}{\Gamma \vdash \mathsf{Prop} : \mathsf{Type}(i)}\ (\textsc{Prop}) \qquad \frac{\Gamma \vdash \mathrm{wf}}{\Gamma \vdash \mathsf{Type}(i) : \mathsf{Type}(i+1)}\ (\textsc{Type})$

$\frac{\Gamma \vdash A : \mathsf{Type}(i)}{\Gamma(x^o : A) \vdash \mathrm{wf}}\ (\textsc{Cont}^o) \qquad \frac{\Gamma \vdash A : \mathsf{Prop}}{\Gamma(x^* : A) \vdash \mathrm{wf}}\ (\textsc{Cont}^*)$

$\frac{\Gamma \vdash t : A \quad \Gamma \vdash B : s}{\Gamma \vdash t : B}\ (\textsc{Conv})\ \text{ if } A \le B$

$\frac{\Gamma \vdash A : s \quad \Gamma(x^s : A) \vdash B : \mathsf{Type}(i)}{\Gamma \vdash \Pi x^s : A.B : \max(s, \mathsf{Type}(i))}\ (\textsc{Prod}) \qquad \frac{\Gamma \vdash A : s \quad \Gamma(x^s : A) \vdash B : \mathsf{Prop}}{\Gamma \vdash \Pi x^s : A.B : \mathsf{Prop}}\ (\textsc{Prod})$

$\frac{\Gamma(x : A) \vdash t : B}{\Gamma \vdash \lambda x : A.t : \Pi x : A.B}\ (\textsc{Lam}) \qquad \frac{\Gamma \vdash t : \Pi x^s : A.B \quad \Gamma \vdash u : A}{\Gamma \vdash (t\ u) : B[x \backslash u]}\ (\textsc{App})\ \text{ if } s(u) = s$

$\frac{\Gamma \vdash A : \mathsf{Type}(i) \quad \Gamma(x^o : A) \vdash B : \mathsf{Type}(j)}{\Gamma \vdash \Sigma^o x^o : A.B : \mathsf{Type}(\max(i,j))}\ (\textsc{Sig}^o) \qquad \frac{\Gamma \vdash A : \mathsf{Type}(i) \quad \Gamma(x^o : A) \vdash B : \mathsf{Prop}}{\Gamma \vdash \Sigma^* x^o : A.B : \mathsf{Type}(i)}\ (\textsc{Sig}^*)$

$\frac{\Gamma \vdash a : A \quad \Gamma \vdash b : B[x \backslash a] \quad \Gamma \vdash \Sigma^s x : A.B : \mathsf{Type}(i)}{\Gamma \vdash \langle a, b \rangle_{\Sigma^s x : A.B} : \Sigma^s x : A.B}\ (\textsc{Pair})$

$\frac{\Gamma \vdash t : \Sigma^s x : A.B}{\Gamma \vdash \pi_1(t) : A}\ (\textsc{Proj1}) \qquad \frac{\Gamma \vdash t : \Sigma^s x : A.B}{\Gamma \vdash \pi_2^s(t) : B[x \backslash \pi_1(t)]}\ (\textsc{Proj2})$

Figure 1: The ECC fragment



In many cases, it is useful to extend this elimination over the computational levels

$\mathrm{Eq\_rec}_i : \Pi A : \mathsf{Type}(i).\Pi P : A \to \mathsf{Type}(i).\Pi a, b : A.(P\ a) \to a =_A b \to (P\ b)$

There is however a peculiarity to Eq_rec: in Coq, it is defined by case analysis and therefore comes with a computation rule. The term (Eq_rec A P a b p e) of type (P b) reduces to p in the case where e is a canonical proof by reflexivity; in this case, a and b are convertible and thus coherence and normalization of the type theory are preserved.

As shown in the next section, such a reduction rule is useful, especially when programming with dependent types. In our proof-irrelevant theory however, we cannot rely on the information given by the equality proof e, since all equality proofs are treated as convertible. Furthermore, allowing, for any e, the reduction rule (Eq_rec A P a b p e) ▷ p is too permissive, since it easily breaks the subject reduction property in incoherent contexts.

We therefore put the burden of checking convertibility between a and b on the reduction rule of Eq_rec, by extending reduction with the following conditional rule

$(\mathrm{Eq\_rec}\ A\ P\ a\ b\ p\ e) \triangleright_\beta p \quad \text{if } a =_{\beta\varepsilon} b$
When being precise, this means that =βε and ▷ are actually two mutual inductive definitions.

An alternative would be the non-linear rule

$(\mathrm{Eq\_rec}\ A\ P\ a\ a\ p\ e) \triangleright p$

but this allows an encoding of Klop's counter-example [20] and thus breaks the Church-Rosser property (for untyped terms). We thus develop the metatheory for the first version.

2.5. Generalization. In Coq, computational eliminations are provided for more inductive definitions than just propositional equality. The condition is that

(1) the definition has at most one constructor,

(2) the arguments of this constructor are all, themselves, non-computational.

It appears that it is reasonably straightforward to extend our type theory, by generalizing the Eq_rec feature, in order to capture this Coq behavior in the case where the inductive definition is non-recursive. We briefly indicate how, but without precise justification. The remainder of this paragraph is thus not considered in the meta-theoretical justifications; it is also not necessary for the rest of the article.

We write $\Pi \vec{x} : \vec{A}.T$ for $\Pi x_1 : A_1. \ldots \Pi x_n : A_n.T$ and $(t\ \vec{u})$ for $(t\ u_1 \ldots u_n)$.

Consider an inductive definition $I : \Pi \vec{x} : \vec{A}.\mathsf{Prop}$ with a unique constructor $c : \Pi \vec{y} : \vec{B}.(I\ \vec{u})$. The non-computational elimination scheme is

$I\_\mathrm{ind} : \Pi P : (\Pi \vec{x} : \vec{A}.\mathsf{Prop}).(\Pi \vec{y} : \vec{B}.P\ \vec{u}) \to \Pi \vec{x} : \vec{A}.I\ \vec{x} \to P\ \vec{x}$

with the reduction rule

$(I\_\mathrm{ind}\ P\ p\ \vec{a}\ (c\ \vec{b})) \triangleright (p\ \vec{b})$

We can then provide a computational elimination

$I\_\mathrm{rec} : \Pi X : (\Pi \vec{x} : \vec{A}.\mathsf{Type}).(\Pi \vec{y} : \vec{B}.X\ \vec{u}) \to \Pi \vec{x} : \vec{A}.I\ \vec{x} \to X\ \vec{x}$

with the following reduction rule

$(I\_\mathrm{rec}\ X\ p\ \vec{a}\ i) \triangleright (p\ \vec{\varepsilon}) \quad \text{if } \vec{u} =_{\beta\varepsilon} \vec{a}$

To understand the last condition, one should note that although the variables $\vec{y}$ are free in $\vec{u}$, they do not interfere with the conversion since their types ensure they are all tagged by *.

2.6. Data types. In order to be practical, the theory needs to be extended by inductive definitions in the style of Coq, Lego and others. We do not detail the typing rules and liberally use integers, booleans, usual functions and predicates ranging over them. We refer to the Coq documentation [11, 14]; for a possibly more modern presentation, [8] is interesting.

Let us just mention that data types live in Type. That is, for instance, nat : Type(0); thus, their elements are of tag o.
3. Basic metatheory

We sketch the basic meta-theory of the calculus defined up to here. The proof techniques are relatively traditional, even if one has to take care of the more delicate behavior of relaxed reduction for the first lemmas (similarly to [29]).

Lemma 3.1. If t ▷β t', then s(t) = s(t'). Thus, the same is true if t ▷βε t'.

Proof. By a straightforward case analysis of the form of t. □

Lemma 3.2 (β-postponement). If t ▷βε* t', then there exists t'' such that t ▷ε* t'' and t'' ▷β* t'.

Proof. One first shows that if t ▷β t' ▷ε t'', then there exists t''' such that t ▷ε* t''' and either t''' = t'' or t''' ▷β t''. This is done by checking how the two redexes are located with respect to each other. The proof of the lemma then easily follows. □

Lemma 3.3 (Church-Rosser). For t a raw term, if t ▷βε* t1 and t ▷βε* t2, then there exists t3 such that t1 ▷βε* t3 and t2 ▷βε* t3.

Proof. By a quite straightforward adaptation of the usual Tait and Martin-Löf method. The delicate point was to choose the right formulation of the reduction rule specific to the elimination of propositional equality, as mentioned in section 2.4. □

An immediate but very important consequence is that

Corollary 3.4 (Uniqueness of product formation). If Πx : A.B ≤ Πx : A'.B', then A =βε A' and B ≤ B'.

Corollary 3.5. For any T,

• T ≤ Prop ⇔ Prop ≤ T ⇔ T =βε Prop ⇔ T ▷βε* Prop

• T ≤ Type(i) ⇔ T ▷βε* Type(j) with j ≤ i

• Type(i) ≤ T ⇔ T ▷βε* Type(j) with i ≤ j

• if T ≤ U and U ≤ T then U =βε T.

Furthermore, ▷ε is obviously strongly normalizing. One therefore can "pre-cook" all terms by ▷ε when checking relaxed convertibility.

Lemma 3.6 (pre-cooking of terms). Let t1 and t2 be raw terms. Let t1' and t2' be their respective ▷ε-normal forms. Then t1 =βε t2 if and only if t1' =β t2'.

While this property is important for implementation, its converse is also true and semantically understandable: computationally relevant β-reductions are never blocked by not-yet-performed ε-reductions.

Lemma 3.7. Let t1 be any raw term. Suppose t1 ▷ε t2 ▷β t3. Then there exists t4 such that t1 ▷β t4 ▷ε* t3.

Proof. It is easy to see that ▷ε cannot create new β-redexes, nor does it duplicate existing ones. □

Lemma 3.8. If t ▷βε t', then for any term u and variable x^{s(u)}, one has t[x^{s(u)} \ u] ▷βε t'[x^{s(u)} \ u]. Thus, if t =βε t' then t[x^{s(u)} \ u] =βε t'[x^{s(u)} \ u].

Proof. By straightforward induction over the structure of t. One uses the fact that, since x^{s(u)} and u have the same syntactic sort, the terms t and t[x^{s(u)} \ u] also have the same syntactic sort. □
Lemma 3.9 (Substitution). If Γ(x : A)Δ ⊢ t : T and Γ ⊢ a : A are derivable, and if a and x have the same (syntactic) sort, then ΓΔ[x \ a] ⊢ t[x \ a] : T[x \ a] is derivable.

Proof. By induction over the structure of the first derivation, like in the usual proof. The condition over the syntactic sorts is necessary for the case of the conversion rule, in order to apply the previous lemma. □

Lemma 3.10 (Inversion or Stripping). If Γ ⊢ t : T is derivable, then so are Γ ⊢ wf and Γ ⊢ T : s for some sort s. Furthermore, the following clauses hold.

If Γ ⊢ x : T is derivable, then:

• (x, U) ∈ Γ,

• Γ ⊢ U : s is derivable,

• U ≤ T.

If Γ ⊢ (t u) : V is derivable, then:

• Γ ⊢ t : Πx : U.W,

• Γ ⊢ u : U,

• W[x \ u] ≤ V.

If Γ ⊢ λx : U.t : W is derivable, then:

• Γ(x : U) ⊢ t : T,

• Πx : U.T ≤ W.

If Γ ⊢ Πx : A.B : T is derivable, then

• Γ ⊢ A : s1,

• Γ(x : A) ⊢ B : s2,

• either s2 = Prop and Prop ≤ T, or max(s1, s2) ≤ T.

If Γ ⊢ Σ*x^o : A.B : T is derivable, then

• Γ ⊢ A : Type(i),

• Γ(x : A) ⊢ B : Prop,

• Type(i) ≤ T.

If Γ ⊢ Σ^o x^o : A.B : T is derivable, then

• Γ ⊢ A : Type(i),

• Γ(x : A) ⊢ B : Type(j),

• Type(max(i, j)) ≤ T.

Γ ⊢ Σx* : A.B : T is not derivable.

If Γ ⊢ ⟨t, u⟩_{Σx^o:T.U} : V is derivable, then

• Σx^o : T.U ≤ V,

• Γ ⊢ t : T,

• Γ ⊢ u : U[x^o \ t],

• s(t) = o.

If Γ ⊢ π1(t) : T is derivable, then

• Γ ⊢ t : Σx : A.B,

• A ≤ T.

If Γ ⊢ π2(t) : T is derivable, then

• Γ ⊢ t : Σ^s x^o : A.B,

• B[x^o \ π1(t)] ≤ T.

If Γ ⊢ Prop : T is derivable, then Type(1) ≤ T.

If Γ ⊢ Type(i) : T, then Type(i + 1) ≤ T.

Proof. Simultaneously by induction over the derivation. □
Corollary 3.11 (Principal type). If Γ ⊢ t : T, then there exists U such that Γ ⊢ t : U and, for all V, if Γ ⊢ t : V, then U ≤ V.

Proof. By induction over the structure of t, using the previous lemma and corollaries 3.4 and 3.5. □

Of course, subject reduction holds only for ▷β-reduction, since ε is not meant to be typable.

Lemma 3.12 (Subject reduction). If Γ ⊢ t : T is derivable, and if t ▷β t' (resp. T ▷β T', Γ ▷β Γ'), then Γ ⊢ t' : T (resp. Γ ⊢ t : T', Γ' ⊢ t : T).

Proof. By induction over the structure of t. Depending upon the position of the redex, one uses either the substitution or the stripping lemmas above. We only detail the case where a β-reduction occurs at the root of the term.

If t = (λx^s : U.v u), s(u) = s and t' = v[x^s \ u], we know that Γ(x^s : U) ⊢ v : V, Γ ⊢ u : U and V[x^s \ u] ≤ T. Thus we can apply lemma 3.9 to deduce

Γ ⊢ v[x^s \ u] : V[x^s \ u]

and

Γ ⊢ V[x^s \ u] : s'

where s' is the sort such that Γ(x^s : U) ⊢ V : s'. The result then follows through one application of the conversion rule. □

Lemma 3.13. If Γ ⊢ t : T is derivable, then there exists a sort s such that Γ ⊢ T : s; furthermore Γ ⊢ T : Prop if and only if t is of tag *.

Proof. By induction over the structure of t. The Church-Rosser property ensures that Prop and Type(i) are not convertible. □

A most important property is of course normalization. We do not claim any proof here, although we very strongly conjecture it. A smooth way to prove it is probably to build on top of the simple set-theoretical model, using an interpretation of types as saturated λ-sets as first proposed by Altenkirch [2, 27].

Conjecture 3.14 (Strong Normalization). If Γ ⊢ t : T is derivable, then t is strongly normalizing.

Stating strong normalization is important in the practice of proof-checking, since it entails decidability of type-checking and type-inference.

Corollary 3.15. Given Γ, it is decidable whether Γ ⊢ wf. Given Γ and a raw term t, it is decidable whether there exists T such that Γ ⊢ t : T holds.

Proof. By induction over the structure of t, using the stripping lemma. Normalization ensures that the relation ≤ is decidable for well-formed types. □

The other usual side-product of normalization is a syntactic assessment of constructivity

Corollary 3.16. If [] ⊢ t : Σx : A.B, then t ▷βε* ⟨a, b⟩_{Σx:A.B} with [] ⊢ a : A and [] ⊢ b : B[x \ a].

Proof. By case analysis over the normal form of t, using the stripping lemma. □
4. Programming with dependent types

We now list some applications of the relaxed conversion rule, which all follow the slogan that proof-irrelevance makes programming with dependent types more convenient and efficient.

From now on, we will write {x : A | P} for Σ*x : A.P, that is for a Σ-type whose second component is non-computational.

4.1. Dependent equality. Programming with dependent types means that terms occur in the type of computational objects (i.e. not only in propositions). The way equality is handled over such families of types is thus a crucial point which is often problematic in intensional type theories.

Let us take a simple example. Suppose we have defined a data-type of arrays over some type A. If n is a natural number, (tab n) is the type of arrays of size n. That is tab : nat → Type(i). Furthermore, let us assume we have a function modeling access to the array acc : Πn : nat.tab n → nat → A.

Commutativity of addition can be proved in the theory: com : Πm, p : nat.(m + p) = (p + m). Yet tab (m + p) and tab (p + m) are two distinct types with distinct inhabitants.

For instance, if we have an array t : tab (m + p), we can use the operator Eq_rec described above to transform it into an array of size p + m

$t' = \mathrm{Eq\_rec}\ \mathsf{nat}\ \mathsf{tab}\ (m+p)\ (p+m)\ t\ (\mathrm{com}\ (m+p)\ (p+m)) : \mathsf{tab}(p+m)$

Of course, t and t' should have the same inhabitants, and we would like to prove

$\Pi i : \mathsf{nat}.\ \mathrm{acc}\ (m+p)\ t\ i =_A \mathrm{acc}\ (p+m)\ t'\ i$

It is known [19, 25] that in order to do so, one needs the reduction rule for Eq_rec together with a proof that equality proofs are unique. The latter property is generally established by a variant of what Streicher calls the "K axiom"

$K : \Pi A : \mathsf{Type}.\Pi a : A.\Pi P : a =_A a \to \mathsf{Prop}.(P\ (\mathrm{refl}\ a)) \to \Pi e : a =_A a.(P\ e)$

where refl stands for the canonical proof by reflexivity.

Here, since equality proofs are also irrelevant to conversion, this axiom becomes trivial. Actually, since (P e) and (P (refl a)) are convertible, this statement does not even need to be mentioned anymore, and the associated reduction rule becomes superfluous.

In general, it should be interesting to transpose work like McBride's [25] into the framework of proof-irrelevant theories.

4.2. Partial functions and equality over subset types. In the literature of type theory, subset types come in many flavors; they designate the restriction of a type to the elements verifying a certain predicate. The type {x : A | P} can be viewed as the constructive statement "there exists an element of A verifying P", but also as the data-type A restricted to elements verifying P. In most current intensional type theories, the latter approach is not very practical since equality is defined over it in too narrow a way. We have ⟨a, p⟩ =β ⟨a', p'⟩ only if a =β a' and p =β p'; the problem is that one would like to get rid of the second condition. The same is true for propositional Leibniz equality and one can establish

$\langle a, p \rangle =_{\{x : A | P\}} \langle a, p' \rangle \;\to\; p =_{P[x \backslash a]} p'$



PROOF-IRRELEVANT TYPE THEORIES 11



In general however, one is only interested in the validity of the assertion (P a), not in the way it is proved. A program awaiting an argument of type {x : A | P} will behave identically if fed with ⟨a, p⟩ or ⟨a, p'⟩.

Therefore, each time a construct {x : A | P} is used as a data-type, one cannot use Leibniz equality in practice. Instead, one has to define a less restrictive equivalence relation ≈_{A,P} which simply states that the first components of the two pairs are equal

$\langle a, p \rangle \approx_{A,P} \langle a', p' \rangle \;=\; a =_A a'$

But using ≈_{A,P} instead of =_{\{x:A|P\}} quickly becomes very tedious; typically, for every function f : {x : A | P} → B one has to prove

$\Pi c, c' : \{x : A | P\}.\ c \approx_{A,P} c' \to (f\ c) =_B (f\ c')$

and even more specific statements if B is itself a subset type.

In our theory, one can prove without difficulties that =_{\{x:A|P\}} and ≈_{A,P} are equivalent, and there is indeed no need anymore for defining ≈_{A,P}. Furthermore, one has ⟨a, p⟩ =βε ⟨a, p'⟩, so the two terms are computationally identified, which is stronger than Leibniz equality, avoids the use of the deductive level and makes proofs and developments more concise.

Array bounds. The same can be observed when partial functions are curried. Let us take again the example of arrays, but suppose this time the access function awaits a proof that the index is within the bounds of the array.

$\mathsf{tab} : \mathsf{nat} \to \mathsf{Type}(i)$

$\mathrm{acc} : \Pi n : \mathsf{nat}.\mathsf{tab}\ n \to \Pi i : \mathsf{nat}.i < n \to A$

So given an array t of size n, its corresponding access function is

$a = \mathrm{acc}\ n\ t : \Pi i : \mathsf{nat}.i < n \to A$

In traditional type theory, this definition is cumbersome to use, since one has to state explicitly that the values (a i p_i), where p_i : i < n, do not depend upon p_i. The type above is therefore not sufficient to describe an array; instead one needs the additional condition

$T_{irr} : \Pi i : \mathsf{nat}.\Pi p_i, p'_i : i < n.(a\ i\ p_i) =_A (a\ i\ p'_i)$

where =_A stands for the propositional Leibniz equality.

This is again verbose and cumbersome since T_irr has to be invoked repeatedly. In our theory, not only does the condition T_irr become trivial, since for any p_i and p'_i one has (a i p_i) =βε (a i p'_i), but this last coercion is stronger than propositional equality: there is no need anymore to have recourse to the deductive level and prove this equality. The proof terms are therefore clearer and smaller.

4.3. On-the-fly extraction. An important point, which we only briefly mention here, is the consequence for the implementation when switching to a proof-irrelevant theory. In a proof-checker, the environment consists of a sequence of definitions or lemmas which have been type-checked. If the proof-checker implements a proof-irrelevant theory, it is reasonable to keep two versions of each constant: the full proof-term, which can be printed or re-checked, and the extracted one (that is, ▷ε-normalized) which is used for the conversion check. This would be even more natural when building on recent Coq implementations which already use a dual storing of constants, the second representation being non-printable compiled code precisely used for fast conversion check.

In other words, a proof-system built upon a theory like the one presented here would allow the user to efficiently exploit the computational behavior of a constructive proof in order to prove new facts. This makes the benefits of program extraction technology available inside the system and helps transform proof systems into viable programming environments.



5. Relating to PVS

Subset types also form the core of PVS. In this formalism the objects of type {x : A | P} are also of type A, and objects of type A can be of type {x : A | P}. This makes type checking undecidable and is thus impossible in our setting. But we show that it is possible to build explicit coercions between the corresponding types of our theory which basically behave like the identity.

What is presented in this section is strongly related to the work of Sozeau [35], which describes a way to provide a PVS-style input mode for Coq.

The following lemma states that the construction and destruction operations of our subset types can actually be omitted when checking conversion.

Lemma 5.1 (Singleton simplification). The typing relation of our theory remains unchanged if we extend the ▷ε reduction of our theory by⁶

$\langle a, p \rangle_{\Sigma^* x : A.P} \triangleright_\varepsilon a$

$\pi_1(c) \triangleright_\varepsilon c \quad \text{when } c : \Sigma^* x : A.B$

The following definition is directly transposed⁷ from PVS [31]. We do not treat dependent types in full generality (see chapter 3 of [M]).

Definition 5.2 (Maximal super-type). The maximal super-type is a partial function μ from terms to terms, recursively defined by the following equations. In all these equations, A and B are of type Type(i) in a given context.

$\mu(A) = A \text{ if } A \text{ is a data-type} \qquad \mu(\{x : A | P\}) = \mu(A)$

$\mu(A \to B) = A \to \mu(B) \qquad \mu(A \times B) = \mu(A) \times \mu(B).$

Definition 5.3 (η-reduction). The generalized η-reduction, written ▷η, is the contextual closure of

$\lambda x : A.(t\ x) \triangleright_\eta t \quad \text{if } x \text{ is not free in } t$

$\langle \pi_1(t), \pi_2(t) \rangle \triangleright_\eta t$

We can now construct the coercion function from A to μ(A).

Lemma 5.4. If Γ ⊢ A : Type(i) and μ(A) is defined, then

• Γ ⊢ μ(A) : Type(i),



⁶ To make the second clause rigorous, a solution is to modify slightly the theory by adding a tag to the first projection (π1^o(t) and π1^*(t)). This does not significantly change the metatheory.

⁷ A difference is that in PVS, propositions and booleans are identified; but this point is independent of this study. It is however possible to do the same in our theory by assuming a computational version of excluded middle.
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• there exists a function Jl{A) which is of type A —i- fJ,{A) in T, 

• furthermore, when applying the singleton simplification S to JI^A) one obtains an r]- 
expansion of the identity function; to be precise, S(jl{A)) [>*^^ Ax : A.x. 

Proof. It is almost trivial to check that T h fJ-{A) : Type(i). The two other clauses are 
proved by induction over the structure of A. 

• If A is of the form {x : B\P} with Jl{B) : B fi{B), then 

J1{A) = Xx:{x: B\P}.{Jl{B) 7ri{x)) : {x : B\P} 

Furthermore, since P : Prop, tti{x) is here simplified to x, and by induction hypothesis we 
know that S{'p{B)) x reduces to x. We can conclude that S{]l{A)) >£^^ Xx : {x : B\P}.x. 

• If ^ is of the form C ^ B with -p{B) : B fi{B), then 

J1{A) =\h:C ^ B.Xx : C.Ji{B) {h x) : C ^ n{B) 

Since (5(7l(B)) {h x)) {h x), we have S{-Jl{A)) o*^^ Xh : A ^ B.h. 

• If ^ is of the form B x C, then 

71(A) = Xx : B X C. < {J1{B) 7ri(x)), (71(C) 7r2(x)) >^(b)xa*{C) 
Again, the induction hypotheses assure that Jl{A) \>lf^^ Xx : B x C.x. □ 
The opposite operation, going from $\mu(A)$ to $A$, can only be performed when some
conditions are verified (type-checking conditions, or TCCs in PVS terminology). We can
also transpose this to our theory, still keeping the simple computational behavior of the
coercion function. This time however, our typing being less flexible than that of PVS, we have
to define the coercion function and its type simultaneously; furthermore, in general, this
operation is well-typed only if the type theory supports generalized $\eta$-reduction.

This unfortunate restriction is typical when defining transformations over programs
with dependent types. It should however not be taken too seriously, and we believe this
cosmetic imperfection can generally be tackled in practice.

Lemma 5.5 (subtype constraint). Given $\Gamma \vdash A : \mathrm{Type}(i)$, if $\mu(A)$ is defined, then one can
define $\pi(A)$ and $\bar\pi(A)$ such that, in the theory where conversion is extended with $\triangleright_\eta$, one
has

$$\Gamma \vdash \pi(A) : \mu(A) \to \mathrm{Prop} \qquad\text{and}\qquad \Gamma \vdash \bar\pi(A) : \Pi x : \mu(A).(\pi(A)\ x) \to A$$

Furthermore, $\bar\pi(A)$ $\beta\eta$-normalizes to $\lambda x : \mu(A).\lambda p : (\pi(A)\ x).x$.

Proof. By straightforward induction. We only provide detail for the case where $A = B \to C$,
so that $\mu(A) = B \to \mu(C)$. Then

$$\pi(A) = \lambda f : B \to \mu(C).\forall x : B.(\pi(C)\ (f\ x))$$

and

$$\bar\pi(A) = \lambda f : B \to \mu(C).\lambda p : (\forall x : B.(\pi(C)\ (f\ x))).\lambda x : B.(\bar\pi(C)\ (f\ x)\ (p\ x)). \quad □$$



Footnote: It should be mentioned that adding $\eta$-reduction to such a type system yields non-trivial technical
difficulties, which are mostly independent of the question of proof-irrelevance.

Footnote: For one, in practical cases, $\eta$ does not seem necessary very often (only with some nested existentials).
And even then, it should be possible to tackle the problem by proving the corresponding equality on the
deductive level.
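The constructions of Lemmas 5.4 and 5.5, as an added Coq example that is not part of the paper and is not the paper's own formalization: it instantiates $\mu$, $\bar\mu$, $\pi$ and $\bar\pi$ for the single type $A = \mathrm{nat} \to \{y : \mathrm{nat} \mid y \neq 0\}$, for which $\mu(A) = \mathrm{nat} \to \mathrm{nat}$. Coq's conversion is not proof-irrelevant, so proof-irrelevance is assumed as an axiom (as the paper says it did for its own Coq development), and the axiom EXT of section 6.2 is taken from the standard library as `functional_extensionality`. The names `NZ`, `mu_bar`, `pi`, `pi_bar`, `rebuild` are chosen here and do not come from the paper.

```coq
(* Added example, not from the paper.  Instance of Lemmas 5.4 and 5.5 for
   A = nat -> {y : nat | y <> 0}, whose computational content is
   mu(A) = nat -> nat.  Assumptions: proof-irrelevance as an axiom, and the
   paper's EXT axiom via the standard library. *)
Require Import Coq.Logic.FunctionalExtensionality.

Axiom proof_irrelevance : forall (P : Prop) (p q : P), p = q.

(* The subset type {y : nat | y <> 0}; mu of it is nat. *)
Definition NZ : Type := { y : nat | y <> 0 }.

(* mu-bar(A): coercion A -> mu(A) of Lemma 5.4 (arrow case composed with the
   subset case): apply the function, then forget the proof component. *)
Definition mu_bar (h : nat -> NZ) : nat -> nat :=
  fun x => proj1_sig (h x).

(* pi(A): the type-checking condition (TCC) of Lemma 5.5, arrow case. *)
Definition pi (f : nat -> nat) : Prop := forall x : nat, f x <> 0.

(* pi-bar(A): the coercion back from mu(A) to A, typable only given a proof
   of the TCC. *)
Definition pi_bar (f : nat -> nat) (p : pi f) : nat -> NZ :=
  fun x => exist (fun y => y <> 0) (f x) (p x).

(* Erasing after lifting returns f by conversion alone: the two sides are
   (fun x => f x) and f, i.e. exactly one generalized eta-step of
   Definition 5.3, which Coq's conversion includes for functions. *)
Lemma erase_after_lift : forall (f : nat -> nat) (p : pi f),
  mu_bar (pi_bar f p) = f.
Proof. reflexivity. Qed.

(* Rebuilding an element of NZ from its projection and a proof of the TCC
   gives it back only up to proof-irrelevance: the rebuilt proof q need not
   be the proof stored inside s. *)
Lemma rebuild : forall (s : NZ) (q : proj1_sig s <> 0),
  exist (fun y => y <> 0) (proj1_sig s) q = s.
Proof.
  intros [y Hy] q; simpl in *.
  rewrite (proof_irrelevance _ q Hy); reflexivity.
Qed.

(* Lifting after erasing returns h, but this is a propositional equality
   needing EXT (pointwise comparison) and proof-irrelevance (rebuild),
   not a conversion. *)
Lemma lift_after_erase : forall (h : nat -> NZ) (p : pi (mu_bar h)),
  pi_bar (mu_bar h) p = h.
Proof.
  intros h p; apply functional_extensionality; intro x.
  exact (rebuild (h x) (p x)).
Qed.
```

The first lemma closes by `reflexivity` because the two sides differ only by an $\eta$-redex on functions, which is why Lemma 5.5 asks for generalized $\eta$-reduction in the conversion; a theory without it would have to prove that equality on the deductive level, as the footnote suggests. The reverse direction is not a conversion in Coq at all: it needs both EXT and proof-irrelevance, which is the content the paper's proof-irrelevant conversion rule builds in.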
6. A more extensional theory

Especially during the 1970s and 1980s, there was an intense debate about the respective
advantages of intensional versus extensional type theories. The latter denomination seems
to cover various features like replacing conversion by propositional equality in the conversion
rule or adding primitive quotient types. In general, these features provide a more
comfortable construction of some mathematical concepts and are closer to set-theoretical
practice. But they break other desirable properties, like decidability of type-checking and
strong normalization.

The theory presented here should therefore be considered as belonging to the intensional
family. However, we retrieve some features usually understood as extensional.

6.1. The axiom of choice. Consider the usual form of the (typed) axiom of choice (AC)

$$(\forall x : A.\exists y : B.R(x, y)) \to \exists f : A \to B.\forall x : A.R(x, f\ x)$$

When we transpose it into our type theory, we can choose to translate the existential
quantifier either by a $\Sigma$-type, or by the existential quantifier defined in $\mathrm{Prop}$

$$\exists x : A.P = \Pi Q : \mathrm{Prop}.(\Pi x : A.P \to Q) \to Q \;:\; \mathrm{Prop}$$

If we use a $\Sigma$-type, we get a type which is obviously inhabited, using the projections $\pi_1$
and $\pi_2$. However, if we read the existential quantifiers of AC as defined above, we obtain a
(non-computational) proposition which is not provable in type theory.

Schematically, this proposition states that if $\Pi x : A.\exists y : B.R(x, y)$ is provable, then
the corresponding function from $A$ to $B$ exists "in the model". This assumption is strong
and allows one to encode IZF set theory into type theory (see [36]).

What is new is that our proof-irrelevant type theory is extensional enough to perform
the first part of Goodman and Myhill's proof based on Diaconescu's observation. Assuming
AC, we can prove the decidability of equality. Consider any type $A$ and two objects $a$ and
$b$ of type $A$. We define a type corresponding to the unordered pair

$$\{a, b\} = \{x : A \mid x =_A a \lor x =_A b\}$$

Let us write $a'$ (resp. $b'$) for the element of $\{a, b\}$ corresponding to $a$ (resp. $b$); so $\pi_1(a')$
reduces to $a$ and $\pi_1(b')$ to $b$. It is then easy to prove that

$$\Pi z : \{a, b\}.\exists e : \mathrm{bool}.(e =_{\mathrm{bool}} \mathrm{true} \land \pi_1(z) =_A a) \lor (e =_{\mathrm{bool}} \mathrm{false} \land \pi_1(z) =_A b)$$

and from the axiom of choice we deduce

$$\exists f : \{a, b\} \to \mathrm{bool}.\Pi z : \{a, b\}.(f\ z =_{\mathrm{bool}} \mathrm{true} \land \pi_1(z) =_A a) \lor (f\ z =_{\mathrm{bool}} \mathrm{false} \land \pi_1(z) =_A b)$$

Finally, given such a function $f$, one can compare $(f\ a')$ and $(f\ b')$, since both are booleans,
over which equality is decidable.

The key point is then that, thanks to proof-irrelevance, the equivalence between $a' =_{\{a,b\}} b'$
and $a =_A b$ is provable in the theory. Therefore, if $(f\ a')$ and $(f\ b')$ are different, so are $a$
and $b$. On the other hand, if $(f\ a') =_{\mathrm{bool}} (f\ b') =_{\mathrm{bool}} \mathrm{true}$ then $\pi_1(b') =_A a$ and so $b =_A a$.
In the same way, $(f\ a') =_{\mathrm{bool}} (f\ b') =_{\mathrm{bool}} \mathrm{false}$ entails $\pi_1(a') =_A b$ and so $a =_A b$.

We thus deduce $a =_A b \lor a \neq_A b$ and by generalizing with respect to $a$, $b$ and $A$ we
obtain

$$\Pi A : \mathrm{Type}(i).\Pi a, b : A.\; a =_A b \lor a \neq_A b$$

which is a quite classical statement. We have formalized this proof in Coq, assuming proof-
irrelevance as an axiom.

Note of course that this "decidability" is restricted to a disjunction in $\mathrm{Prop}$ and that it is
not possible to build an actual generic decision function. Indeed, the constructivity of results in
the predicative fragment of the theory is preserved, even when assuming the excluded middle
in $\mathrm{Prop}$.
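The argument of this paragraph, as an added Coq script that is not the paper's own formalization: proof-irrelevance and AC (with the $\mathrm{Prop}$-level existential, Coq's `exists`) are declared as axioms, and the names `pair_t`, `a'`, `b'`, `R`, `choose` and `dec_eq` are chosen here. Only the direction $a =_A b \Rightarrow a' =_{\{a,b\}} b'$ of the equivalence is needed for the proof, and it is exactly the step where proof-irrelevance enters.

```coq
(* Added example, not from the paper.  Decidability of equality (in Prop)
   from AC and proof-irrelevance, following the Diaconescu-style argument of
   section 6.1.  Assumptions: both principles are axioms here. *)
Axiom proof_irrelevance : forall (P : Prop) (p q : P), p = q.

(* Typed AC with the Prop-level existential on both sides. *)
Axiom AC : forall (A B : Type) (R : A -> B -> Prop),
  (forall x : A, exists y : B, R x y) ->
  exists f : A -> B, forall x : A, R x (f x).

Section Diaconescu.
  Variable A : Type.
  Variables a b : A.

  (* The unordered pair {a, b} as a subset type of A. *)
  Definition pair_t : Type := { x : A | x = a \/ x = b }.

  Definition a' : pair_t := exist (fun x => x = a \/ x = b) a (or_introl eq_refl).
  Definition b' : pair_t := exist (fun x => x = a \/ x = b) b (or_intror eq_refl).

  (* Proof-irrelevance is what identifies two elements of {a,b} whose
     underlying elements of A are equal: the proof components are forced
     equal by the axiom. *)
  Lemma pair_eq : forall z w : pair_t, proj1_sig z = proj1_sig w -> z = w.
  Proof.
    intros [x Hx] [y Hy]; simpl; intro H; subst y.
    rewrite (proof_irrelevance _ Hx Hy); reflexivity.
  Qed.

  (* The relation handed to AC: the boolean e records which of a, b the
     element z is. *)
  Definition R (z : pair_t) (e : bool) : Prop :=
    (e = true /\ proj1_sig z = a) \/ (e = false /\ proj1_sig z = b).

  Lemma choose : forall z : pair_t, exists e : bool, R z e.
  Proof.
    intros [x [Hx | Hx]]; unfold R; simpl.
    - exists true; left; split; [reflexivity | exact Hx].
    - exists false; right; split; [reflexivity | exact Hx].
  Qed.

  (* Compare f a' and f b' in bool, where equality is decidable. *)
  Theorem dec_eq : a = b \/ a <> b.
  Proof.
    destruct (AC pair_t bool R choose) as [f Hf].
    pose proof (Hf a') as Ha; pose proof (Hf b') as Hb; unfold R in Ha, Hb.
    destruct Ha as [[Ha1 _] | [_ Ha2]].
    - destruct Hb as [[_ Hb2] | [Hb1 _]].
      + (* f a' = f b' = true, so pi1(b') = a *)
        left; symmetry; exact Hb2.
      + (* f a' = true, f b' = false: a = b would force a' = b', hence
           f a' = f b', contradicting true <> false *)
        right; intro Hab.
        assert (a' = b') as E by (apply pair_eq; exact Hab).
        rewrite E, Hb1 in Ha1; discriminate.
    - (* f a' = false, so pi1(a') = b *)
      left; exact Ha2.
  Qed.
End Diaconescu.

(* Closing the section generalizes over A, a and b, giving the statement
   of section 6.1. *)
Check (dec_eq : forall (A : Type) (a b : A), a = b \/ a <> b).
```

As the paragraph notes, the result lives in $\mathrm{Prop}$: `dec_eq` is an `or`, not a `sumbool`, so no decision function can be extracted from it even though `AC` returns a function `f` into `bool`.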

6.2. Other classical non-computational axioms. At present, we have not been able
to deduce the excluded middle (EM) from the statement above. We leave this theoretical
question to future investigations, but it seems quite clear that in most cases, when admitting
AC one will also be willing to admit EM. In fact both axioms are validated by the simple
set-theoretical model and give a setting where the $\mathrm{Type}(i)$'s are inhabited by computational
types (i.e. from $\{x : A \mid P\}$ we can compute $x$ of type $A$) and $\mathrm{Prop}$ allows classical reasoning
about those programs.

Another practical statement which is validated by the set-theoretical model is the axiom
that point-wise equal functions are equal

$$(\mathrm{EXT}) \qquad \Pi A, B : \mathrm{Type}(i).\Pi f, g : A \to B.(\Pi x : A.f\ x =_B g\ x) \to f =_{A \to B} g$$

Note that combining this axiom with AC (and thus decidability of equality) is already
enough to prove (in $\mathrm{Prop}$) the existence of a function deciding whether a Turing machine
halts.

6.3. Quotients and normalized types. Quotient sets are a typically extensional concept
whose adaptation to type theory has always been problematic. Again, one has to choose
between "effective" quotients and decidability of type-checking. Searching for a possible
compromise, Courtieu [13] ended up with an interesting notion of normalized type. The
idea is remarkably simple: given a function $f : A \to B$, we can define $\{(f\ x) \mid x : A\}$, which is
the subtype of $B$ corresponding to the range of $f$. His rules are straightforwardly translated
into our theory by simply taking

$$\{f(x) \mid x : A\} = \{y : B \mid \exists x : A.\, y =_B f\ x\}$$

Courtieu also gives the typing rules for functions going from $A$ to $\{f(x) \mid x : A\}$, and
back in the case where $f$ is actually of type $A \to A$.

The relation with quotients is that in the case $f : A \to A$ we can understand
$\{f(x) \mid x : A\}$ as the type $A$ quotiented by the relation

$$x\ R\ y$$

In practice this appears to be often the case, and Courtieu describes several applications.

Footnote: In set theory, decidability of equality entails the excluded middle, since $\{x \in \mathbb{N} \mid P\}$ is equal to $\mathbb{N}$ if and
only if $P$ holds.

Footnote: A similar notion has been developed for NuPRL [30].






B. WERNER 



7. Simple semantics 

When justifying the correctness of a program extraction mechanism, one can use either
semantics or syntax. In the first case, one builds a model and verifies that it validates extraction
[7]. In the latter case, at least in the framework of type theories, this mainly means
building a realizability interpretation on top of the strong normalization property [32]. This
second approach is difficult here, since our theory is itself built using the erasure of non-
computational terms. Furthermore, for complex theories, it appears easier to prove strong
normalization using an already defined model [2, 27, 12].

For this reason alone, it is worth treating the topic of semantics here. Furthermore,
we believe it is a good point for a theory meant to be used in a proof-system to bear
simple semantics, in order to justify easily the validity of additional axioms like the ones
mentioned in the previous section, or extensions like the useful reduction rule for $\mathrm{Eq\_rec}$
(par. 2.4) which is difficult to treat by purely syntactic means.

Set-theoretical interpretations are the most straightforward way to provide semantics
for typed $\lambda$-calculi. It consists, given an interpretation $\mathcal{I}$ of the free variables, of interpreting
a type $T$ by a set $|T|_{\mathcal{I}}$, and terms $t : T$ by elements $|t|_{\mathcal{I}}$ of $|T|_{\mathcal{I}}$. Furthermore, $\lambda$-abstractions
are interpreted by their set-theoretical counterparts: $|\lambda x : A.t|_{\mathcal{I}}$ is the function mapping
$a \in |A|_{\mathcal{I}}$ to $|t|_{\mathcal{I};x \leftarrow a}$. While these interpretations are not interesting for studying the
dynamics of proof-normalization, they have the virtue of simplicity.

Since Reynolds [34], it is well-known that impredicative or polymorphic types, as the
inhabitants of $\mathrm{Prop}$, bear only a trivial set-theoretical interpretation: if $P : \mathrm{Prop}$, then $|P|_{\mathcal{I}}$
is either the empty set or a singleton. In other words, all proofs of proposition $P$ have
the same interpretation. Since our theory precisely identifies all the elements of $P$ at the
computational level, the set-theoretical setting is, for its simplicity, the most appealing for
our goal.

Although the set-theoretical model construction is not as simple as it might seem [29],
the setting is not new; we try to give a reasonably precise description here.

7.1. Notations. Peter Aczel's way to encode set-theoretic functions provides a tempting
framework for a model construction, and a previous version of this section relied on it.
However, because of technical difficulties appearing when proving the subject reduction
property for the semantic interpretation, we finally favor the traditional set-theoretic vision
of functions, where the application $f(x)$ is only defined when $x$ belongs to the domain of
the function $f$.

If $\mathcal{I}$ is a mapping from variables to sets and $a$ is a set, we write $\mathcal{I}; x \leftarrow a$ for the
function mapping $x$ to $a$ and identical to $\mathcal{I}$ elsewhere.

The interpretation of the hierarchy $\mathrm{Type}(i)$ goes beyond ZFC set theory and relies on
the existence of inaccessible cardinals. This means we postulate, for every natural number
$n$, the existence of a set $U_n$ such that

• $U_n$ is closed by all set-theoretical operations.

As usual, we write $\emptyset$ for the empty set. We write $1$ for the canonical singleton $\{\emptyset\}$. If $A$
is a set and $(B_a)_{a \in A}$ a family of sets indexed over $A$, we use the set-theoretical dependent
products and sums

$$\Pi_{a \in A} B_a = \{f \in A \to \bigcup_{a \in A} B_a \mid \forall a \in A.\, f(a) \in B_a\}$$

$$\Sigma_{a \in A} B_a = \{(a, b) \in A \times \bigcup_{a \in A} B_a \mid a \in A \land b \in B_a\}$$

Finally we write $x \in A \mapsto t$ for the set-theoretical function construction and, of course,
$f(x)$ for set-theoretical function application.

7.2. Construction. Over the ECC fragment of the type theory, the interpretation is con-
structed straightforwardly. The fact that non-computational terms are syntactically tagged
makes the definition easier. We define

Definition 7.1. For any mapping $\mathcal{I}$ from variables to $\bigcup_{i \in \mathbb{N}} U_i$, we define a mapping asso-
ciating a set $|\Gamma \vdash t|_{\mathcal{I}}$ to a term $t$ and a context $\Gamma$. This function is defined by induction
over the size of $t$ by the equations of figure 2; we can restrict ourselves to the case
where $\Gamma \vdash t : T$ for some $T$.

Figure 2: Definition of the semantics

$|\Gamma \vdash t|_{\mathcal{I}} = \emptyset$ if $t$ is of sort $*$

In the other cases:

$|\Gamma \vdash x|_{\mathcal{I}} = \mathcal{I}(x)$

$|\Gamma \vdash \lambda x : A.t|_{\mathcal{I}} = a \in |\Gamma \vdash A|_{\mathcal{I}} \mapsto |\Gamma(x : A) \vdash t|_{\mathcal{I};x \leftarrow a}$

$|\Gamma \vdash (t\ u)|_{\mathcal{I}} = |\Gamma \vdash t|_{\mathcal{I}}(|\Gamma \vdash u|_{\mathcal{I}})$

$|\Gamma \vdash \Sigma x : A.B|_{\mathcal{I}} = \Sigma_{a \in |\Gamma \vdash A|_{\mathcal{I}}} |\Gamma(x : A) \vdash B|_{\mathcal{I};x \leftarrow a}$

$|\Gamma \vdash \Pi x : A.B|_{\mathcal{I}} = \bigcap_{a \in |\Gamma \vdash A|_{\mathcal{I}}} |\Gamma(x : A) \vdash B|_{\mathcal{I};x \leftarrow a}$ if $\Gamma \vdash \Pi x : A.B : \mathrm{Prop}$

$|\Gamma \vdash \Pi x : A.B|_{\mathcal{I}} = \Pi_{a \in |\Gamma \vdash A|_{\mathcal{I}}} |\Gamma(x : A) \vdash B|_{\mathcal{I};x \leftarrow a}$ in the other cases

$|\Gamma \vdash \langle t, u \rangle_{\Sigma x : A.B}|_{\mathcal{I}} = (|\Gamma \vdash t|_{\mathcal{I}}, |\Gamma \vdash u|_{\mathcal{I}})$

$|\Gamma \vdash \pi_i(t)|_{\mathcal{I}} = \alpha_i$ if $|\Gamma \vdash t|_{\mathcal{I}}$ is a pair $(\alpha_1, \alpha_2)$

$|\Gamma \vdash \mathrm{Prop}|_{\mathcal{I}} = \{\emptyset; 1\}$

$|\Gamma \vdash \mathrm{Type}(i)|_{\mathcal{I}} = U_i$

$|\Gamma \vdash (\mathrm{Eq\_rec}\ A\ P\ a\ b\ p\ e)|_{\mathcal{I}} = |\Gamma \vdash p|_{\mathcal{I}}$

The following extension of interpretations to contexts is the usual one.

Definition 7.2. We define the condition $\mathcal{I} \in |\Gamma|$ by the following clauses

• $\mathcal{I} \in |[\,]|$,

• $\mathcal{I} \in |\Gamma| \land \mathcal{I}(x) \in |\Gamma \vdash A|_{\mathcal{I}} \Rightarrow \mathcal{I} \in |\Gamma(x : A)|$.

This definition should not be surprising. It is a partial definition, because of two clauses:

• The case of the application, since $|\Gamma \vdash (t\ u)|_{\mathcal{I}}$ is only defined when $|\Gamma \vdash t|_{\mathcal{I}}$ is a (set-
theoretic) function and its domain contains $|\Gamma \vdash u|_{\mathcal{I}}$.

• The cases of the projections, since $|\Gamma \vdash \pi_i(t)|_{\mathcal{I}}$ is only defined when $|\Gamma \vdash t|_{\mathcal{I}}$ is a (set-
theoretic) pair.

Note also that the definition depends upon $\Gamma$ only to discriminate between the case where
$\Pi x : A.B$ is impredicative and the case where it is not. A more interesting technical point is the last clause: by
anticipating the reduction of $\mathrm{Eq\_rec}$ we have a total definition which is obviously invariant
by reduction.

Lemma 7.3 (Substitutivity). Suppose $\Gamma(x_s : U)\Delta \vdash t : T$, $\Gamma \vdash u : U$ and $s = s(u)$. Suppose
furthermore

(1) $|\Gamma(x : U)\Delta|$ is defined,

(2) if $\mathcal{I} \in |\Gamma(x : U)\Delta|$ then $|\Gamma(x : U)\Delta \vdash t|_{\mathcal{I}} \in |\Gamma(x : U)\Delta \vdash T|_{\mathcal{I}}$,

(3) $\mathcal{I} \in |\Gamma| \Rightarrow |\Gamma \vdash u|_{\mathcal{I}} \in |\Gamma \vdash U|_{\mathcal{I}}$.

Let $\mathcal{I} \in |\Gamma\Delta[x \backslash u]|$; we have

• $|\Gamma\Delta[x \backslash u] \vdash t[x \backslash u]|_{\mathcal{I}}$ is defined and equal to $|\Gamma(x_s : U)\Delta \vdash t|_{\mathcal{I};x \leftarrow |\Gamma \vdash u|_{\mathcal{I}}}$,

• $(\mathcal{I}; x \leftarrow |\Gamma \vdash u|_{\mathcal{I}}) \in |\Gamma(x : U)\Delta|$.

Proof. By a simple induction over the structure of the derivation.

Note that in the case where $t$ is of the form $\Pi y : A.B$, one uses the fact that typing is
preserved by substitution (lemma 3.9) in order to ensure that the applied clause remains
the same ($\Pi y : A.B$ being of type $\mathrm{Prop}$ or $\mathrm{Type}(i)$). □

Lemma 7.4 (Correctness for reduction). Let $\Gamma \vdash t : T$ be derivable, and let $\mathcal{I} \in |\Gamma|$ be such that
$|\Gamma \vdash t|_{\mathcal{I}}$ is defined. If $t \triangleright t'$, then $|\Gamma \vdash t'|_{\mathcal{I}} = |\Gamma \vdash t|_{\mathcal{I}}$.

Proof. By induction over the typing derivation. As pointed out in [29], the restriction on
the $\beta$-reduction that ensures that the tag does not change is essential here. □

Corollary 7.5. Let $\Gamma \vdash t : T$ and $\Gamma \vdash t' : T$ be derivable, and let $\mathcal{I} \in |\Gamma|$ be such that $|\Gamma \vdash t|_{\mathcal{I}}$
and $|\Gamma \vdash t'|_{\mathcal{I}}$ are defined. If $t$ and $t'$ are convertible, then $|t|_{\mathcal{I}} = |t'|_{\mathcal{I}}$.

Soundness is then proved without much difficulty.

Theorem 7.6. If $\Gamma \vdash \mathrm{wf}$ is derivable, then $|\Gamma|$ is defined. If $\Gamma \vdash t : T$ is derivable and
$\mathcal{I} \in |\Gamma|$, then $|\Gamma \vdash t|_{\mathcal{I}} \in |\Gamma \vdash T|_{\mathcal{I}}$ (and both objects are defined).

Proof. By induction over the derivation. When checking the correctness of the interpretation
of $\mathrm{Eq\_rec}$, one simply has to remark that propositional Leibniz equality is indeed interpreted
by set-theoretical equality; that is, if $|\Gamma \vdash a|_{\mathcal{I}}$ and $|\Gamma \vdash b|_{\mathcal{I}}$ are both elements of $|\Gamma \vdash A|_{\mathcal{I}}$,
then

• $|\Gamma \vdash a =_A b|_{\mathcal{I}} = 1$ if $|\Gamma \vdash a|_{\mathcal{I}} = |\Gamma \vdash b|_{\mathcal{I}}$,

• $|\Gamma \vdash a =_A b|_{\mathcal{I}} = \emptyset$ if $|\Gamma \vdash a|_{\mathcal{I}} \neq |\Gamma \vdash b|_{\mathcal{I}}$. □

It is easy to check that the axioms AC, EM and EXT of the previous section are valid
in this model.

8. Conclusion and further work 

We have tried to show that a relaxed conversion rule can make type theories more practical, 
without necessarily giving up normalization or decidable type checking. In particular, we 
have shown that this approach brings closer the world of PVS and type theories of the Coq 
family. 
We also view this as a contribution to closing the gap between proof systems like Coq
and safe programming environments like Dependent ML or ATS [10, 37]. But this will only
be assessed by practice; the first step is thus to implement such a theory.